sandbox/apparmor: do not skip apparmor 4 from the host

The state of AppArmor 4 in Ubuntu 24.04 and 24.10 is now sufficient for using in snapd. While we have no guarantee that everone has updated the classic package, it is better than falling back to AppArmor 4 with ABI 3.0 like we used to. Signed-off-by: Zygmunt Krynicki <[email protected]>
canonical · Jul 9, 2024 · 6853098 · 6853098
1 parent 6ff315b
commit 6853098
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 8 deletions.
diff --git a/sandbox/apparmor/apparmor.go b/sandbox/apparmor/apparmor.go
@@ -783,15 +783,8 @@ func AppArmorParser() (cmd *exec.Cmd, internal bool, err error) {
 	for _, dir := range filepath.SplitList(parserSearchPath) {
 		path := filepath.Join(dir, "apparmor_parser")
 		if _, err := os.Stat(path); err == nil {
-			// Detect but ignore apparmor 4.0 ABI support.
-			//
-			// At present this causes some bugs with mqueue mediation that can
-			// be avoided by pinning to 3.0 (which is also supported on
-			// apparmor 4). Once the mqueue issue is analyzed and fixed, this
-			// can be replaced with a --policy-features=hostAbi40File pin like
-			// we do below.
 			if fi, err := os.Lstat(hostAbi40File); err == nil && !fi.IsDir() {
-				logger.Debugf("apparmor 4.0 ABI detected but ignored")
+				return exec.Command(path, "--policy-features", hostAbi40File), false, nil
 			}
 
 			// Perhaps 3.0?

diff --git a/sandbox/apparmor/apparmor_test.go b/sandbox/apparmor/apparmor_test.go
@@ -75,6 +75,81 @@ func (*apparmorSuite) TestAppArmorParser(c *C) {
 	c.Check(err, Equals, nil)
 }
 
+func (*apparmorSuite) TestAppArmorHostAppArmorParserWithJustAbi3(c *C) {
+	fakeroot := c.MkDir()
+	dirs.SetRootDir(fakeroot)
+
+	mockParserCmd := testutil.MockCommand(c, "apparmor_parser", "")
+	defer mockParserCmd.Restore()
+
+	restore := apparmor.MockParserSearchPath(mockParserCmd.BinDir())
+	defer restore()
+
+	restore = apparmor.MockSnapdAppArmorSupportsReexec(func() bool { return false })
+	defer restore()
+
+	abiDir := filepath.Join(fakeroot, "etc", "apparmor.d", "abi")
+	c.Assert(os.MkdirAll(abiDir, 0755), IsNil)
+	c.Assert(os.WriteFile(filepath.Join(abiDir, "3.0"), nil, 0755), IsNil)
+
+	cmd, internal, err := apparmor.AppArmorParser()
+	c.Check(err, IsNil)
+	c.Check(cmd.Path, Equals, mockParserCmd.Exe())
+	c.Check(cmd.Args, DeepEquals, []string{mockParserCmd.Exe(), "--policy-features", filepath.Join(abiDir, "3.0")})
+	c.Check(internal, Equals, false)
+}
+
+
+func (*apparmorSuite) TestAppArmorHostAppArmorParserWithAbi3And4(c *C) {
+	fakeroot := c.MkDir()
+	dirs.SetRootDir(fakeroot)
+
+	mockParserCmd := testutil.MockCommand(c, "apparmor_parser", "")
+	defer mockParserCmd.Restore()
+
+	restore := apparmor.MockParserSearchPath(mockParserCmd.BinDir())
+	defer restore()
+
+	restore = apparmor.MockSnapdAppArmorSupportsReexec(func() bool { return false })
+	defer restore()
+
+	abiDir := filepath.Join(fakeroot, "etc", "apparmor.d", "abi")
+	c.Assert(os.MkdirAll(abiDir, 0755), IsNil)
+	c.Assert(os.WriteFile(filepath.Join(abiDir, "3.0"), nil, 0755), IsNil)
+	c.Assert(os.WriteFile(filepath.Join(abiDir, "4.0"), nil, 0755), IsNil)
+
+	cmd, internal, err := apparmor.AppArmorParser()
+	c.Check(err, IsNil)
+	c.Check(cmd.Path, Equals, mockParserCmd.Exe())
+	// When both are present, ABI 4 is preferred.
+	c.Check(cmd.Args, DeepEquals, []string{mockParserCmd.Exe(), "--policy-features", filepath.Join(abiDir, "4.0")})
+	c.Check(internal, Equals, false)
+}
+
+func (*apparmorSuite) TestAppArmorHostAppArmorParserWithJustAbi4(c *C) {
+	fakeroot := c.MkDir()
+	dirs.SetRootDir(fakeroot)
+
+	mockParserCmd := testutil.MockCommand(c, "apparmor_parser", "")
+	defer mockParserCmd.Restore()
+
+	restore := apparmor.MockParserSearchPath(mockParserCmd.BinDir())
+	defer restore()
+
+	restore = apparmor.MockSnapdAppArmorSupportsReexec(func() bool { return false })
+	defer restore()
+
+	abiDir := filepath.Join(fakeroot, "etc", "apparmor.d", "abi")
+	c.Assert(os.MkdirAll(abiDir, 0755), IsNil)
+	c.Assert(os.WriteFile(filepath.Join(abiDir, "4.0"), nil, 0755), IsNil)
+
+	cmd, internal, err := apparmor.AppArmorParser()
+	c.Check(err, IsNil)
+	c.Check(cmd.Path, Equals, mockParserCmd.Exe())
+	c.Check(cmd.Args, DeepEquals, []string{mockParserCmd.Exe(), "--policy-features", filepath.Join(abiDir, "4.0")})
+	c.Check(internal, Equals, false)
+}
+
 func (*apparmorSuite) TestAppArmorInternalAppArmorParser(c *C) {
 	fakeroot := c.MkDir()
 	dirs.SetRootDir(fakeroot)